public inbox for linux-nfs@vger.kernel.org
From: Tom Haynes <tdh@excfb.com>
To: Chuck Lever <chuck.lever@oracle.com>
Cc: Linux NFS Mailing List <linux-nfs@vger.kernel.org>
Subject: Re: Security negotiation
Date: Fri, 10 Jul 2009 15:55:58 -0500
Message-ID: <4A57AADE.8080002@excfb.com>
In-Reply-To: <F2FB7FDE-00D9-4623-964D-3C632AD64C68@oracle.com>

Chuck Lever wrote:
>
>>
>> If mountd does not provide AUTH_SYS a mount request with no sec= will 
>> fail.  Should it try the first one in the list instead?  What if the 
>> first one is AUTH_NULL?
>
> In other words, I'm not sure what is the right behavior here.  What it 
> does now is probably suboptimal.  I've browsed 2623 a bit, but it's 
> not hitting me.
>

So we (OpenSolaris) changed our behavior inadvertently to do the
list in order. Which means we are trying AUTH_NONE against
a Linux server. (Bug is here: 
http://bugs.opensolaris.org/bugdatabase/view_bug.do?bug_id=6834430)

We are considering two changes:

1) Use our default flavor (user configurable)
2) Order the list by strength based on the flavors we support.

The first option would get us to where you are going to be. AUTH_SYS will
probably be the default.

The second option would push AUTH_NONE to the end of the list, which
corresponds to my thinking of it as a wild card.

But it also means that if AUTH_SYS is not our default, then we might try
Kerberized access first. I think that is a surprise.

Also, if the server has already ordered the list based on the preference it
would like the client to try, then the client should honor that list if no
specific flavor is used.

So, I would say algorithmically:

1) If the client specifies a flavor, it uses that if the server supports
it. If the server does not, the mount fails.

2) If the client has a default, it tries that first if the server
supports it. If the server does not, then:

3) The client walks the array of flavors and uses the first that it supports
and the server supports.
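The three-step selection described in this message, written out as an added C example (not code from the thread, from OpenSolaris or from the Linux client). The flavor numbers are the ONC RPC values from RFC 5531; the sentinel values, function names and the sample mountd reply are constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>

/* ONC RPC authentication flavor numbers (RFC 5531). */
#define AUTH_NONE   0
#define AUTH_SYS    1
#define RPCSEC_GSS  6
/* Constructed sentinels: "no sec= given" and "nothing usable". */
#define FLAVOR_UNSET        (-1)
#define FLAVOR_NONE_USABLE  (-2)

/* True if `flavor` appears among the `n` entries of `list`. */
static int flavor_in(int flavor, const int *list, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (list[i] == flavor)
            return 1;
    return 0;
}

/* 1) explicit sec= flavor: use it only if the server offers it, else fail;
 * 2) otherwise the client's default, if the server offers it;
 * 3) otherwise the first entry of the server's list, in the server's order,
 *    that the client also supports (AUTH_NONE included if listed and allowed).
 * Returns the chosen flavor or FLAVOR_NONE_USABLE. */
int select_sec_flavor(int requested, int client_default,
                      const int *client_ok, size_t n_client,
                      const int *server_list, size_t n_server)
{
    if (requested != FLAVOR_UNSET)
        return flavor_in(requested, server_list, n_server)
               ? requested : FLAVOR_NONE_USABLE;
    if (client_default != FLAVOR_UNSET &&
        flavor_in(client_default, server_list, n_server))
        return client_default;
    for (size_t i = 0; i < n_server; i++)
        if (flavor_in(server_list[i], client_ok, n_client))
            return server_list[i];
    return FLAVOR_NONE_USABLE;
}

int main(void)
{
    /* Constructed mountd reply that happens to list AUTH_NONE first. */
    const int server[] = { AUTH_NONE, RPCSEC_GSS, AUTH_SYS };
    const int client[] = { AUTH_SYS, RPCSEC_GSS, AUTH_NONE };
    printf("chosen flavor: %d\n",   /* prints 1 (AUTH_SYS), not 0 */
           select_sec_flavor(FLAVOR_UNSET, AUTH_SYS, client, 3, server, 3));
    return 0;
}
```

With no default and no sec= option the walk in step 3 honors the server's order, so a server that lists AUTH_NONE first still gets AUTH_NONE; only the default (step 2) keeps that from happening.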

